BCS Launches Bid to Prevent Another NHS WannaCry Epidemic

BCS, The Chartered Institute for IT, is leading a new effort to improve cybersecurity within the NHS in a bid to head off another WannaCry-style incident.

Its newly released Blueprint for Cyber Security in Health and Care highlights that crucial staffing challenges have been behind many of the Health Service’s woes of late.

It points to a lack of trained, registered and accountable cybersecurity professionals in the NHS who can make sure hospital systems are fit for purpose, making an incident such as the widespread ransomware outage last month “inevitable”.

Nearly 50 Trusts were hit by WannaCry in May, forcing cancellation of key appointments and operations.

The blueprint calls for a collaborative response from individual professionals, industry bodies, patient organizations, policymakers and other stakeholders.

The 2020 roadmap aims to create: clear standards of practice for NHS boards; standards for professional accreditations; training for IT pros in the industry to ensure they attain these standards; advice for boards to better understand their responsibilities; and new research to map changes to the NHS and develop new standards.

BCS director of policy, David Evans, claimed the Chartered Institute wasn’t looking to “land-grab” but instead make use of existing accreditations.

“I don’t care if you’re chartered through us, or meet a similar standard through IISP or (ISC)2. What I care about is that you have something appropriate, and that people on NHS boards know that there is a definitive list of who they can trust,” he told Infosecurity.

“If an NHS board can know who to ask, and know what to ask, they will at the very least know what trade-offs on spending they will be making. If as a result of that there is a systemic lack of funding then that can be dealt with at a policy level.”

One outcome he’s hoping to achieve is connecting local professionals more closely with the services offered by NHS Digital through the Data Security Centre.

It’s all about creating a movement where stakeholders can work collectively as a “community of professionals” rather than a “bunch of corporations”.

“If there was a broad connected community of people who were cyber-qualified – across multiple institutions, and across multiple sectors – then there would be a mechanism to share ideas and good practice, provide mutual support etc. As well as creating a more secure environment it should also create a more efficient one,” Evans explained.

“For example, securing an MRI scanner with out-of-date software is a problem that, broadly speaking, you should solve once and then have available as a stock solution-set. What we’re dealing with is very complex and ever-changing, but a lot of it is repeatable and adaptable. This also has the potential for a more structured approach to security vendors, and create greater assurance of value for money.”
